CVE-2026-45727
CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion
Description
The `cloakserve` CDP multiplexer uses the user-supplied `fingerprint` query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted `fingerprint` value containing path traversal sequences to resolve `user_data_dir` outside the configured `data_dir`. When Chrome fails to start or the process is cleaned up, `shutil.rmtree()` deletes the traversed path, resulting in arbitrary directory deletion. Additionally, `cloakserve` bound to `0.0.0.0` by default, making it network-exposed. ### Impact An attacker with network access to the cloakserve port can delete arbitrary directories accessible to the service user. ### Patches Fixed in v0.3.28. ### Mitigations - Upgrade to v0.3.28 or later - Restrict network access to the cloakserve port
How to fix CVE-2026-45727
To remediate CVE-2026-45727, upgrade the affected package to a fixed version below.
- —upgrade to 0.3.28 or later
Is CVE-2026-45727 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.3.28
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N |